Dependency Auditor

Audits dependencies for CVEs, outdated versions, license compliance, and unused packages. Auto-fix mode patches and cleans up safely.

@atapifire/dependency-auditor

Tags: security, dependencies, audit, devops

Dependency Auditor

Purpose: Audit project dependencies for security vulnerabilities, license compliance, outdated versions, and unused packages.

Invocation

```
/deps-audit [--fix] [--severity critical|high|all]
```

Audit Phases

Phase 1: Security Vulnerabilities

Run the native audit tool:

```bash
# Node.js
npm audit --json

# Python
pip-audit --format=json

# Go
govulncheck ./...

# Rust
cargo audit --json
```

Parse results and rank by severity (critical → low).
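As an added example (not code from the skill itself), the parse-and-rank step in Python over a constructed `npm audit --json` document. The field names (`vulnerabilities`, `severity`, `via`, `fixAvailable`, `isSemVerMajor`) follow the npm v7+ report format, which uses `moderate` rather than `medium`; `min_severity` mirrors the `--severity` flag, and a major-version fix is flagged so auto-fix can skip it.

```python
import json

SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}

# Constructed sample in the shape of `npm audit --json` (npm v7+): one entry per
# vulnerable package; "via" mixes advisory objects with bare names of packages
# that only depend on a vulnerable one; "fixAvailable" is False, True or an object.
SAMPLE_AUDIT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "minimist": {"severity": "low", "isDirect": False, "range": "<1.2.6",
                 "via": [{"title": "Prototype Pollution"}], "fixAvailable": True},
    "lodash": {"severity": "high", "isDirect": True, "range": "<4.17.21",
               "via": [{"title": "Prototype Pollution"}],
               "fixAvailable": {"name": "lodash", "version": "4.17.21", "isSemVerMajor": False}},
    "old-lib": {"severity": "critical", "isDirect": True, "range": "<2.0.0",
                "via": [{"title": "Remote code execution"}, "other-pkg"],
                "fixAvailable": {"name": "old-lib", "version": "2.0.0", "isSemVerMajor": True}},
    "no-fix": {"severity": "moderate", "isDirect": False, "range": "*",
               "via": [{"title": "ReDoS"}], "fixAvailable": False},
}})

def parse_npm_audit(raw: str, min_severity: str = "all") -> list[dict]:
    """Return findings at or above min_severity, ranked critical -> low,
    with direct dependencies before transitive ones at equal severity."""
    cutoff = 4 if min_severity == "all" else SEVERITY_RANK[min_severity]
    findings = []
    for name, vuln in json.loads(raw).get("vulnerabilities", {}).items():
        sev = vuln.get("severity", "info")
        rank = SEVERITY_RANK.get(sev, 4)
        if rank > cutoff:
            continue
        titles = [v["title"] for v in vuln.get("via", []) if isinstance(v, dict)]
        fix = vuln.get("fixAvailable")
        if isinstance(fix, dict):
            action = f"npm install {fix['name']}@{fix['version']}"
            if fix.get("isSemVerMajor"):  # auto-fix must not apply this one blindly
                action += " (major bump: review migration guide)"
        elif fix:
            action = "npm audit fix"
        else:
            action = "no fix available: pin, patch or replace"
        findings.append({"package": name, "severity": sev, "rank": rank,
                         "direct": bool(vuln.get("isDirect")),
                         "range": vuln.get("range"), "titles": titles, "action": action})
    findings.sort(key=lambda f: (f["rank"], not f["direct"], f["package"]))
    return findings

if __name__ == "__main__":
    for f in parse_npm_audit(SAMPLE_AUDIT):
        print(f"{f['severity'].upper():8} {f['package']:<10} {f['range']:<9} "
              f"{', '.join(f['titles'])}\n  Fix: {f['action']}")
```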

Phase 2: Outdated Packages

```bash
npm outdated --json
```

Categorize updates:

  • Patch (1.2.3 → 1.2.4) — Safe to auto-update
  • Minor (1.2.3 → 1.3.0) — Usually safe, check changelog
  • Major (1.2.3 → 2.0.0) — Breaking changes likely, review migration guide
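As an added example (not the skill's own code), the categorisation above applied to a constructed `npm outdated --json` document, with the resulting `auto` bucket being what `--fix` may apply unattended. It goes one step beyond the list: a `0.x` package treats a minor bump as major, because semver makes no compatibility promise before 1.0.0; the JSON shape (`current`, `wanted`, `latest` per package) is that of `npm outdated --json`.

```python
import json
import re

# Constructed sample in the shape of `npm outdated --json`
SAMPLE_OUTDATED = json.dumps({
    "react":      {"current": "18.2.0", "wanted": "18.3.1", "latest": "19.1.0"},
    "typescript": {"current": "5.3.3",  "wanted": "5.7.2",  "latest": "5.7.2"},
    "vitest":     {"current": "1.6.0",  "wanted": "1.6.1",  "latest": "1.6.1"},
    "zod":        {"current": "0.4.2",  "wanted": "0.4.2",  "latest": "0.5.0"},
})

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

def parse_semver(version: str) -> tuple[int, int, int]:
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch

def classify_update(current: str, latest: str) -> str:
    """Return 'patch', 'minor', 'major' or 'none' for current -> latest.
    Below 1.0.0 a minor bump counts as major: no stability promise exists,
    so it is not safe to auto-apply."""
    cur, new = parse_semver(current), parse_semver(latest)
    if new <= cur:
        return "none"
    if new[0] != cur[0] or (cur[0] == 0 and new[1] != cur[1]):
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch"

def plan_updates(raw: str) -> dict[str, list[str]]:
    """Bucket outdated packages for the report; 'auto' is the set that
    --fix installs without review (patch updates only)."""
    plan = {"patch": [], "minor": [], "major": [], "auto": []}
    for name, info in json.loads(raw).items():
        kind = classify_update(info["current"], info["latest"])
        if kind == "none":
            continue
        plan[kind].append(f"{name} {info['current']} -> {info['latest']}")
        if kind == "patch":
            plan["auto"].append(f"{name}@{info['latest']}")
    return plan

if __name__ == "__main__":
    print(json.dumps(plan_updates(SAMPLE_OUTDATED), indent=2))
```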

Phase 3: License Compliance

Check all dependency licenses against project policy:

| License | Status |
|---------|--------|
| MIT, Apache-2.0, BSD | Allowed |
| ISC, Unlicense | Allowed |
| GPL-2.0, GPL-3.0 | Warning — viral copyleft |
| AGPL-3.0 | Blocked — requires open-sourcing |
| SSPL, BSL | Blocked — non-OSS |
| No license | Blocked — no usage rights |

Phase 4: Unused Dependencies

Detect packages in package.json not imported anywhere:

```bash
# Find all imports in source
grep -rh "from ['\"]" src/ | sed "s/.*from ['\"]//;s/['\"].*//" | sort -u

# Compare with package.json dependencies
```

Output Report

```
## Security Vulnerabilities (3 found)

🔴 CRITICAL | lodash@4.17.20 | Prototype Pollution (CVE-2021-23337)
  Fix: npm install lodash@4.17.21

🟡 MEDIUM | axios@0.21.1 | SSRF via crafted URL
  Fix: npm install axios@0.21.4

## Outdated (12 packages)

| Package | Current | Latest | Type |
|---------|---------|--------|------|
| react | 18.2.0 | 19.1.0 | Major |
| typescript | 5.3.3 | 5.7.2 | Minor |
| vitest | 1.6.0 | 1.6.1 | Patch |

## License Issues (1 found)

⚠️ WARNING | chart.js@4.4.0 | MIT ✓
  Dependency `chartjs-color` uses GPL-2.0

## Unused Dependencies (2 found)

- `moment` — not imported anywhere (consider removing)
- `lodash.merge` — only used in removed test file
```

Auto-Fix Mode

With `--fix`:

  1. Apply all patch updates
  2. Apply minor updates for packages with no breaking changelog entries
  3. Remove confirmed unused packages
  4. Re-run tests to verify nothing breaks
  5. Commit: chore(deps): security patches and cleanup

Playground

Example input (package.json dependencies):

```json
"dependencies": {
  "express": "4.18.2",
  "lodash": "3.10.1",
  "jsonwebtoken": "8.5.1",
  "axios": "1.6.0",
  "moment": "2.29.4"
}
```

Example output (audit report):

```
🔴 lodash 3.10.1 → 4.17.21 | Prototype pollution: CVE-2019-10744 | High severity. Update immediately.
🔴 jsonwebtoken 8.5.1 → 9.0.2 | Auth bypass: CVE-2022-23539 | Critical. Breaks JWT verification.
🟡 moment 2.29.4 | Unmaintained (archived 2022). Migrate to date-fns or dayjs.
✅ express 4.18.2 — OK
✅ axios 1.6.0 — OK

Action: npm update lodash jsonwebtoken
```

Info

Created February 18, 2026
Version 1.0.0
User-invoked
Terminal output
